COMPUTING THE CARDINALITY OF CM ELLIPTIC 
CURVES USING TORSION POINTS 



F. MORAIN 

Abstract. Let $\mathcal{E}$ be an elliptic curve having complex multiplication by a given quadratic order of an imaginary quadratic field $K$. The field of definition of $\mathcal{E}$ is the ring class field $\Omega$ of the order. If the prime $p$ splits completely in $\Omega$, then we can reduce $\mathcal{E}$ modulo one of the prime factors of $p$ and get a curve $E$ defined over $\mathbb{F}_p$. The trace of the Frobenius of $E$ is known up to sign and we need a fast way to find this sign. For this, we propose to use the action of the Frobenius on torsion points of small order built with class invariants à la Weber, in a manner reminiscent of the Schoof-Elkies-Atkin algorithm for computing the cardinality of a given elliptic curve modulo $p$. We apply our results to the Elliptic Curve Primality Proving algorithm (ECPP).



1. Introduction 

Let $K$ be an imaginary quadratic field of discriminant $-D$. For any integer $t$, let $\mathcal{O}_t$ be the order of conductor $t$ of $K$, $\Delta_t = -t^2 D$ its discriminant, and $h_t = h(\Delta_t)$ its class number. We denote by $\Omega_t$ the ring class field modulo $t$ over $K$. By class field theory the extension $\Omega_t/K$ can be constructed using the minimal polynomial of the modular function $j$ over a set of representatives $\{\tau_1, \tau_2, \ldots, \tau_{h_t}\}$ of the class group $Cl(\mathcal{O}_t)$. An elliptic curve $\mathcal{E}$ of invariant $j(\tau_r)$ is defined over $\Omega_t$ and has complex multiplication (CM) by $\mathcal{O}_t$. We denote by $H_{\Delta_t}[j](X)$ the minimal polynomial of the $j$'s, namely

$$H_{\Delta_t}[j](X) = \prod_{r=1}^{h_t} \left(X - j(\tau_r)\right)$$

which is known to have rational integer coefficients.

Let $p$ be a rational prime number which splits completely in $\Omega_t$, or equivalently which is the norm of an integer of $\mathcal{O}_t$ (that is $p = (U^2 + Dt^2V^2)/4$ for rational integers $U$ and $V$). Then we can reduce $\mathcal{E}$ modulo a prime divisor $\mathfrak{P}$ of $p$ to get an elliptic curve $E/\mathbb{F}_p$ having CM by $\mathcal{O}_t$. If $\pi$ denotes the Frobenius of $E$, then it can be viewed as an element of $\mathcal{O}_t$ of norm $p$, that is (assuming that $\Delta_t \notin \{-3, -4\}$):

(1) $$\pi = (\pm U \pm tV\sqrt{-D})/2.$$

The cardinality of $E(\mathbb{F}_p)$ is the norm of $\pi - 1$, or more simply $p + 1 \mp U$.

The $j$-invariant of $E/\mathbb{F}_p$ is the reduction of one of the $j(\tau_r)$'s modulo $p$, that is a root of $H(X) = H_{\Delta_t}[j](X)$ modulo $p$. Building $E$ is done as follows: find a root $j$ of $H(X)$, and deduce from that the equation of $E$. When $j \notin \{0, 1728\}$, we may take any equation $E(j, c)$:

$$Y^2 = X^3 + a_4(j)c^2X + a_6(j)c^3$$

where $c$ is any nonzero element of $\mathbb{F}_p$ and

(2) $$a_4(j) = \frac{3j}{1728 - j}, \qquad a_6(j) = \frac{2j}{1728 - j}.$$

We will note $E(j)$ for $E(j, 1)$. If its cardinality is $p + 1 - a$, then a curve $E(j, c)$ has cardinality $p + 1 - \left(\frac{c}{p}\right)a$ (where $\left(\frac{\cdot}{p}\right)$ stands for the Legendre symbol). A curve with $\left(\frac{c}{p}\right) = -1$ is a twist of $E(j)$. The problem is now to compute $\#E(j)$, or equivalently, fix the sign of $U$ in equation (1).

In the course of implementing the ECPP algorithm [H] or for cryptographic reasons, it is important to compute this cardinality rapidly. We could of course try both signs of $U$ yielding cardinalities $m$, find some random points $P$ on $E(j)$ and check whether $[m]P = O_E$ on $E$. This approach is somewhat probabilistic and we prefer deterministic and possibly faster solutions.

In the case where $D$ is fundamental and prime to 6, the solution is to use Stark's approach [2H], together with tricks described in [20]. This method is efficient, provided we can afford some precomputations. Note that in the special case where $h_t = 1$, which includes $j = 0, 1728$, one already knows the answer (see [3], [13], [23] and the references given therein). For $D = 20$, we have the isolated result of [16] (see also Section 6.2 below). Since the first version* of the present article, Ishii [12] has given the answer for $D$ of class number 2 or 3 and divisible by 3, 4, or 5.

Our approach consists in computing the action of the Frobenius of the curve on torsion points of small order, using the techniques of the SEA algorithm [22]. These points are obtained using singular values of functions on $X_0(\ell)$ for small prime $\ell$. This will give us algorithmic solutions to our motivating problem when $\left(\frac{-D}{\ell}\right) \neq -1$.

Section 2 describes properties of the modular equations defining $X_0(\ell)$ for prime $\ell$ and their relations to complex multiplication over $\mathbb{Q}$. In Section 3, we briefly describe the necessary results used in the SEA algorithm. Section 4 contains our main contribution. We treat the special cases $\ell = 3$ in Section 5 and $\ell = 5$ in Section 6. Section 7 describes the very interesting case of $\ell = 7$ and for the sake of completeness that of $\ell = 11$. Section 8 is devoted to the particular case $\ell = 2$. We provide numerical examples for each case.



*http://arxiv.org/ps/math.NT/0210173 
We conclude with remarks on the use of our results in our implementation of ECPP.

The books [El], [EZl] are a good introduction to all the material described above.

2. Modular curves and class invariants

2.1. Modular polynomials. Let $\ell$ be a prime number. The curve $X_0(\ell)$ parametrizes the cyclic isogenies of degree $\ell$ associated to an elliptic curve $E$ defined over a field $k$. An equation for $X_0(\ell)$ can be obtained as the minimal polynomial of a modular function $f$ invariant under $\Gamma^0(\ell)$. This modular polynomial, noted $\Phi[f](X, J)$, is such that $\Phi[f](f(z), j(z)) = 0$ for all $z$ such that $\Im z > 0$, where $j(z)$ is the ordinary modular function. Dedekind's $\eta$ function is

$$\eta(\tau) = q^{1/24}\prod_{m \geq 1}(1 - q^m)$$

where $q = \exp(2i\pi\tau)$. It is used to build suitable functions for $\Gamma^0(\ell)$ (see for instance [21], [22]). For example, if

$$\mathfrak{w}_\ell(z) = \frac{\eta(z/\ell)}{\eta(z)}$$

and $s = 24/\gcd(24, \ell - 1)$, then $\mathfrak{w}_\ell^s$ is a modular function for $\Gamma^0(\ell)$ (these are the exponents used throughout: $\mathfrak{w}_2^{24}$, $\mathfrak{w}_3^{12}$, $\mathfrak{w}_5^6$, $\mathfrak{w}_7^4$). The equations for small prime values of $\ell$ are given in Table 1 (see for instance [12]).



    ℓ  |  $\Phi[\mathfrak{w}_\ell^s](X, J)$
    ---+---------------------------------------------
    2  |  $(X + 16)^3 - JX$
    3  |  $(X + 27)(X + 3)^3 - JX$
    5  |  $(X^2 + 10X + 5)^3 - JX$
    7  |  $(X^2 + 13X + 49)(X^2 + 5X + 1)^3 - JX$

Table 1. Table of modular equations $\Phi[\mathfrak{w}_\ell^s](X, J)$.



Among other classes of functions for other modular groups, we find the classical functions of Weber:

$$\gamma_2(z) = \sqrt[3]{j(z)}, \qquad \gamma_3(z) = \sqrt{j(z) - 1728}$$

for which the corresponding modular equations are quite simple.

2.2. CM theory. View the class group $Cl(\Delta_t)$ as a set of reduced primitive binary quadratic forms of discriminant $\Delta_t$, say $Cl(\Delta_t) = \{(A, B, C),\ B^2 - 4AC = \Delta_t\}$ with $h_t$ forms in it. For a given $Q = (A, B, C)$, let $\tau_Q = (-B + \sqrt{\Delta_t})/(2A)$. Then $j(\tau_Q)$ is an algebraic integer that generates $\Omega_t/K$. Moreover, the associated curve $E_Q$ of invariant $j(\tau_Q)$ has CM by $\mathcal{O}_t$.

Suppose $j(\tau) \in \Omega_t$. If $u$ is some function on some $\Gamma^0(\ell)$, then the roots of $\Phi[u](X, j(\tau))$ are algebraic integers. They generate an extension of $\Omega_t$ of degree dividing $\ell + 1$. The striking phenomenon, known for a long time, is that sometimes these roots lie in $\Omega_t$ itself. We will note $H_{\Delta_t}[u](X)$ for the minimal polynomial of the invariant $u$.

Among the simplest results in this direction, we have the following, dating back to Weber [S2]. Suppose $\alpha$ is a quadratic integer with minimal polynomial

$$A\alpha^2 + B\alpha + C = 0$$

such that $\gcd(A, B, C) = 1$ and $B^2 - 4AC = \Delta_t$.

Theorem 2.1. If $3 \nmid A$, $3 \mid B$, then

$$\mathbb{Q}(\gamma_2(\alpha)) = \begin{cases} \mathbb{Q}(j(\alpha)) & \text{if } 3 \nmid \Delta_t, \\ \mathbb{Q}(j(3\alpha)) & \text{if } 3 \mid \Delta_t. \end{cases}$$

A companion result is:

Theorem 2.2. Suppose $2 \nmid A$. We assume that

$$B \equiv \begin{cases} 0 \bmod 4 & \text{if } 2 \mid \Delta_t, \\ 1 \bmod 4 & \text{if } 2 \nmid \Delta_t. \end{cases}$$

Then

$$\mathbb{Q}(\sqrt{-D}\,\gamma_3(\alpha)) = \mathbb{Q}(j(\alpha)) \text{ if } 2 \nmid \Delta_t, \qquad \mathbb{Q}(\gamma_3(\alpha)) = \mathbb{Q}(j(2\alpha)) \text{ if } 2 \mid \Delta_t.$$

Finding a complete system of conjugate values for $\gamma_2(\alpha)$ (resp. $\gamma_3(\alpha)$), as well as for a lot of such functions, is explained in [24].

3. The foundations of the SEA algorithm

3.1. Division polynomials and their properties. For an elliptic curve $E$, we let $E[n]$ denote the group of $n$-torsion points of $E$ (over $\overline{\mathbb{Q}}$). We let $f_n^E(X)$ (or simply $f_n(X)$) denote the $n$-th division polynomial whose roots are the abscissae of the $n$-torsion points of $E$. See [25] for its definition and properties. For instance for the curve $E : Y^2 = X^3 + aX + b$, the first values are:

$$f_0(X) = 0,\quad f_1(X) = 1,\quad f_2(X) = 1,$$
$$f_3(X) = 3X^4 + 6aX^2 + 12bX - a^2,$$
$$f_4(X) = 2X^6 + 10aX^4 + 40bX^3 - 10a^2X^2 - 8abX - 2a^3 - 16b^2.$$

Recurrence relations for computing $f_n$ are given by:

$$f_{2n} = f_n\left(f_{n+2}f_{n-1}^2 - f_{n-2}f_{n+1}^2\right),$$

$$f_{2n+1} = \begin{cases} f_{n+2}f_n^3 - f_{n+1}^3f_{n-1}\cdot 16(X^3 + aX + b)^2 & \text{if } n \text{ is odd}, \\ 16(X^3 + aX + b)^2f_{n+2}f_n^3 - f_{n+1}^3f_{n-1} & \text{if } n \text{ is even}. \end{cases}$$

Remember that the discriminant of $E$ is $\Delta(E) = -2^4(4a^3 + 27b^2)$. We could not find a reference for the following result, though it may be classical.
Proposition 3.1. Let $m$ be an integer. Then

$$\mathrm{Disc}(f_m) = \begin{cases} 2^4\, m^{(m^2-12)/2}\,(-\Delta)^{(m^2-4)(m^2-6)/24} & \text{if } m \text{ is even and } \geq 4, \\ (-1)^{(m-1)/2}\, m^{(m^2-3)/2}\,(-\Delta)^{(m^2-1)(m^2-3)/24} & \text{if } m \text{ is odd and } \geq 3. \end{cases}$$

Swan's theorem [3U] can be used easily to predict the number of irreducible factors of $f_n(X)$ over a finite field.

3.2. Explicit factors of $f_\ell^E(X)$. Let $E$ be an elliptic curve. Suppose that we have some modular polynomial $\Phi[f](X, J)$ for a function $f$ on $\Gamma^0(\ell)$. Then a root $v$ of $\Phi[f](X, j(E))$ gives rise to a curve which is $\ell$-isogenous to $E$, and to a factor of $f_\ell^E(X)$. This is the essence of the ideas of Elkies and Atkin that improve Schoof's algorithm for computing the cardinality of curves over finite fields. The computations can be done using Vélu's formulas [31] (see also [19] for technicalities related to the actual computations). This enables us to compute a factor $g_\ell^E(X)$ of $f_\ell^E(X)$.

In Table 2, for prime $\ell$, we suppose $v_\ell$ is a root of $\Phi[\mathfrak{w}_\ell^s](X, j)$ and we give the factor $g_\ell^{E(j)}(X)$ of $f_\ell^{E(j)}(X)$ that can be obtained.



    ℓ  |  factor
    ---+------------------------------------------------------------------------------------
    2  |  $(v_2 - 8)X + v_2 + 16$
    3  |  $(v_3^2 + 18v_3 - 27)X + v_3^2 + 30v_3 + 81$
    5  |  $(v_5^2 + 4v_5 - 1)^2(v_5^2 + 22v_5 + 125)X^2$
       |  $\quad + 2(v_5^2 + 4v_5 - 1)(v_5^2 + 10v_5 + 5)(v_5^2 + 22v_5 + 125)X$
       |  $\quad + (v_5^2 + 22v_5 + 89)(v_5^2 + 10v_5 + 5)^2$
    7  |  $(v_7^4 + 14v_7^3 + 63v_7^2 + 70v_7 - 7)^3X^3$
       |  $\quad + 3(v_7^2 + 13v_7 + 49)(v_7^2 + 5v_7 + 1)(v_7^4 + 14v_7^3 + 63v_7^2 + 70v_7 - 7)^2X^2$
       |  $\quad + 3(v_7^2 + 13v_7 + 33)(v_7^2 + 13v_7 + 49)(v_7^2 + 5v_7 + 1)^2(v_7^4 + 14v_7^3 + 63v_7^2 + 70v_7 - 7)X$
       |  $\quad + (v_7^2 + 13v_7 + 49)(v_7^2 + 5v_7 + 1)^3(v_7^4 + 26v_7^3 + 219v_7^2 + 778v_7 + 881)$

Table 2. Factors of $f_\ell^{E(j)}(X)$.
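The recurrences of Section 3.1 and the factors of Table 2 can be checked mechanically. The following is an added example, not code from the paper: it builds $f_0, \ldots, f_n$ over $\mathbb{F}_p$ from the recurrences above (with the page's explicit $f_3$, $f_4$ as base cases) and verifies, on the curve $E(j): Y^2 = X^3 + 32X + 115$ over $\mathbb{F}_{281}$ with $g_5 = X^2 + 245X + 198$ quoted from Section 6.1.1, that $g_5$ divides $f_5$ and that $x_5 = 227$ is a root of $f_5$. Polynomials are plain coefficient lists (lowest degree first); the helper names are ours.

```python
# Added example (not from the paper): division polynomials of Section 3.1
# over F_p, and a check that the ell = 5 factor of Table 2 divides f_5.
# Polynomials are lists of coefficients, lowest degree first.

def trim(a):
    """Drop zero leading coefficients in place and return the list."""
    while a and a[-1] == 0:
        a.pop()
    return a


def padd(a, b, p):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % p
                 for i in range(n)])


def psub(a, b, p):
    return padd(a, [(-c) % p for c in b], p)


def pmul(a, b, p):
    if not a or not b:
        return []
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for k, y in enumerate(b):
            r[i + k] = (r[i + k] + x * y) % p
    return trim(r)


def pmod(a, m, p):
    """Remainder of a modulo the monic polynomial m."""
    a = trim(list(a))
    while len(a) >= len(m):
        c, k = a[-1], len(a) - len(m)
        for i, mc in enumerate(m):
            a[k + i] = (a[k + i] - c * mc) % p
        trim(a)
    return a


def peval(a, x, p):
    """Horner evaluation of a at x."""
    r = 0
    for c in reversed(a):
        r = (r * x + c) % p
    return r


def division_polynomials(a, b, p, nmax):
    """f_0, ..., f_nmax for Y^2 = X^3 + aX + b over F_p (recurrences of Section 3.1)."""
    F = [b % p, a % p, 0, 1]                                   # X^3 + aX + b
    F16 = pmul([16], pmul(F, F, p), p)                         # 16 (X^3 + aX + b)^2
    f = [[], [1], [1],
         [(-a * a) % p, 12 * b % p, 6 * a % p, 0, 3],          # f_3
         [(-2 * a**3 - 16 * b * b) % p, (-8 * a * b) % p, (-10 * a * a) % p,
          40 * b % p, 10 * a % p, 0, 2]]                       # f_4
    cube = lambda g: pmul(g, pmul(g, g, p), p)
    for n in range(5, nmax + 1):
        if n % 2 == 0:                                         # f_{2k}, k = n/2
            k = n // 2
            t = psub(pmul(f[k + 2], pmul(f[k - 1], f[k - 1], p), p),
                     pmul(f[k - 2], pmul(f[k + 1], f[k + 1], p), p), p)
            f.append(pmul(f[k], t, p))
        else:                                                  # f_{2k+1}, k = (n-1)/2
            k = (n - 1) // 2
            u = pmul(f[k + 2], cube(f[k]), p)
            w = pmul(cube(f[k + 1]), f[k - 1], p)
            f.append(psub(u, pmul(F16, w, p), p) if k % 2 == 1
                     else psub(pmul(F16, u, p), w, p))
    return f


def degrees(a, b, p, nmax):
    """Degrees of f_3, ..., f_nmax; expected (n^2-1)/2 for odd n, (n^2-4)/2 for even n."""
    return [len(g) - 1 for g in division_polynomials(a, b, p, nmax)[3:]]


# Check values quoted from Section 6.1.1: E(j): Y^2 = X^3 + 32X + 115 over
# F_281, its factor g_5 = X^2 + 245X + 198 and the root x_5 = 227.
P, A4, A6 = 281, 32, 115
G5 = [198, 245, 1]


def g5_divides_f5():
    f5 = division_polynomials(A4, A6, P, 5)[5]
    return pmod(f5, G5, P) == [] and peval(f5, 227, P) == 0
```

The degree check is the usual sanity test for an implementation of the recurrence: a sign error in one branch shows up immediately as a wrong leading term.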



3.3. The splitting of $\Phi[f](X, j(E))$ in $\mathbb{F}_p$. We take the following result from [?] (see also [2E]). Let $\ell$ and $p$ be two distinct primes, and $E/\mathbb{F}_p$ an elliptic curve. Put $\#E = p + 1 - U$, $\mathcal{D} = 4p - U^2$. We denote the splitting type of a squarefree polynomial $P(X)$ by the degrees of its factors. For instance, a polynomial of degree 4 having two linear factors and one quadratic factor will be said to have splitting type (1)(1)(2).

Theorem 3.1. Let $f$ be a function for $\Gamma^0(\ell)$ and put $\Psi(X) = \Phi[f](X, j(E)) \bmod p$.

If $\left(\frac{-\mathcal{D}}{\ell}\right) = 0$, then $\Psi$ splits as $(1)(\ell)$ or $(1)\cdots(1)$.

If $\left(\frac{-\mathcal{D}}{\ell}\right) = +1$, then $\Psi$ splits as $(1)(1)(r)\cdots(r)$ where $r \mid \ell - 1$ and $r > 1$ if $\ell \neq 2$.

If $\left(\frac{-\mathcal{D}}{\ell}\right) = -1$, then $\Psi$ splits as $(r)\cdots(r)$ where $r > 1$ and $r \mid \ell + 1$.

If $k$ denotes the number of factors of $\Psi$, then $(-1)^k = \left(\frac{p}{\ell}\right)$.

We can make precise the first part of the theorem as follows:

Theorem 3.2. Let $4p = U^2 + DV^2$. If $\ell \mid V$, then $\Psi$ has $\ell + 1$ roots modulo $p$.

Proof: See Kohel's thesis [Tl]. □

3.4. Elkies's ideas. We briefly summarize Elkies's idea [Hlj]. Let $\pi$ be the Frobenius of the curve, sending any point $P = (x, y)$ of $E(\overline{\mathbb{F}}_p)$ to $(x^p, y^p)$.

Theorem 3.3. Let $\chi(X) = X^2 - UX + p$ denote the characteristic polynomial of the Frobenius $\pi$ of the elliptic curve $E$ of cardinality $p + 1 - U$. When $\left(\frac{U^2 - 4p}{\ell}\right) \neq -1$, the restriction of $\pi$ to $E[\ell]$ (denoted by $\pi|_{E[\ell]}$) has at least one eigenvalue. To each eigenvalue $\lambda$ of $\pi|_{E[\ell]}$ corresponds a factor of degree $(\ell - 1)/2$ of $f_\ell$. We deduce that $U \equiv \lambda + p/\lambda \bmod \ell$.

We will note $g_{\ell,\lambda}(X)$ the factor of $f_\ell^E(X)$ associated to the eigenvalue $\lambda$. Let $\omega$ denote the order of $\lambda$ modulo $\ell$ and $\sigma = \omega/2$ if $\omega$ is even and $\omega$ otherwise. With these notations, one can show the following result:

Proposition 3.2. The splitting type of $g_{\ell,\lambda}(X) \bmod p$ is $(\sigma)(\sigma)\cdots(\sigma)$ with $k$ factors such that $(\ell - 1)/2 = k\sigma$.

From this, we deduce:

Corollary 3.1. The polynomial $g_{\ell,\lambda}(X)$ splits completely modulo $p$ if and only if $\lambda \equiv \pm 1 \bmod \ell$.

Note also the following result of Dewaghe [Sj] in the formulation of [?].

Proposition 3.3. Let $r = \mathrm{Resultant}(g_{\ell,\lambda}(X),\ X^3 + a_4(j)X + a_6(j))$. Then



Let $4p = U^2 + DV^2$. We want to find the equation of a curve $E/\mathbb{F}_p$ having cardinality $m = p + 1 - U$. The general algorithm is the following:

procedure BuildEWithCM(D, U, V, p)
    { Input: $4p = U^2 + DV^2$ }
    1. For some invariant $u$, compute the minimal polynomial $H_D[u](X)$.
    2. Find a root $x_0$ of $H_D[u](X)$ modulo $p$.
    3. for all roots $j$ of $\Phi[u](x_0, J) \bmod p$ do
        a. compute $E(j)$.
        b. If $\#E(j) = p + 1 + U$ instead of $p + 1 - U$, replace $E(j)$ by a twist.




Classically, this enables us to fix the sign of A when t = 3 mod 4. 



4. Stating the problem

4.1. Eliminating bad curves. In general, the degree of $\Phi[u](x_0, J)$ is larger than 1 and we expect several roots in $J$, not all of which are invariants of the curves we are looking for.

In order to eliminate bad curves, we can use the following result. First, note that:

$$\Delta(E(j)) = 2^{12}\cdot 3^6\, j^2/(j - 1728)^3.$$

Proposition 4.1. Let $4p = U^2 + DV^2$. The number $\Delta(E(j))$ is a square modulo $p$ in the following cases:

(i) $D$ odd;

(ii) $4 \mid D$ and $2 \mid V$.

Proof:

(i) If $\alpha$ is as in Theorem 2.2, we deduce that $\sqrt{-D}\,\gamma_3(\alpha)$ is in $\Omega_1$, which means that $H_{-D}[\sqrt{-D}\,\gamma_3]$ splits modulo $p$ and therefore $j - 1728 \equiv -Du^2 \bmod p$, and we have $\left(\frac{-D}{p}\right) = +1$ by hypothesis.

(ii) Theorem 2.2 tells us that $\mathbb{Q}(\gamma_3(\alpha)) = \mathbb{Q}(j(2\alpha))$. But $p$ splits in the order $\mathcal{O}_2$ and therefore in $\Omega_2$, which shows that the minimal polynomial of $\gamma_3$ splits modulo $p$, proving the result. □

Coming back to our problem, we see that when the above result applies, a good curve is such that $\left(\frac{\Delta}{p}\right)$ must be equal to 1.



4.2. Deciding which curve is good. We can assume that we are left with only one possible $j$ and that we want to compute the cardinality of $E(j)$ as quickly as possible. Let us explain our idea. Let $\mathcal{D} = DV^2$. Suppose that $\ell \neq p$ is an odd prime (the case $\ell = 2$ will be dealt with later) and $\left(\frac{-\mathcal{D}}{\ell}\right) \neq -1$. In that case, Theorem 3.3 applies and if we can find one eigenvalue $\lambda$, we can find $U \bmod \ell$. If $U \not\equiv 0 \bmod \ell$, then we can find the sign of $U$. Note that if $\ell \mid D$, then $U \not\equiv 0 \bmod \ell$ (otherwise $\ell$ would divide $4p$).

The most favorable case is when $\ell \mid \mathcal{D}$, because then there is only one eigenvalue $\lambda$ (it can be a double one) and $\lambda \equiv U/2 \bmod \ell$. Having $\lambda$ gives us immediately the sign of $U$. A very favorable case is when $\ell \equiv 3 \bmod 4$, using Dewaghe's idea.

Apart from this, there is another interesting sub-case, when we can find a rational root $x_0$ of $g_{\ell,\lambda}$, using for instance some class invariant. In that case, we can form $y_0^2 = x_0^3 + ax_0 + b \bmod p$ and test whether $y_0$ is in $\mathbb{F}_p$ or not. If it is, then $\lambda = 1$, since $(x_0, y_0)$ is rational and $\pi(P) = P$. Otherwise, $\lambda = -1$.

Our idea is then to use the general framework for some precise values of $\ell$, and use rational roots of $g_{\ell,\lambda}$ obtained via class invariants. When $\ell = 3$, we are sure to end with a rational root of $g_{3,\lambda}(X)$, as is the case for $\ell = 2$ and $f_2^E$. Moreover, we can use some invariant that gives us the torsion points directly. We also give examples for $\ell = 5, 7, 11$.
5. The case $\ell = 3$

We suppose that $4p = U^2 + DV^2$. The first subsection makes precise the above results.

5.1. Using 3-torsion points. We begin with an easy lemma that can be proved by algebraic manipulations:

Lemma 5.1. Let $v$ be any root of $\Phi_3(X, j) = 0$. Then a root of $f_3^{E(j)}(X)$ is given by

$$x_3 = -\frac{(v + 27)(v + 3)}{v^2 + 18v - 27}.$$

(This is the root of the linear factor of Table 2, since $v^2 + 30v + 81 = (v + 27)(v + 3)$.)

Proposition 5.1. Let $p$ be a prime representable as $4p = U^2 + DV^2$, for which $3 \mid DV$ and $\#E = p + 1 - U$. Suppose $P = (x_3, y_3)$ is a 3-torsion point on $E(j)$ for which $x_3$ is rational. Let $s = x_3^3 + a_4(j)x_3 + a_6(j) \bmod p$. Then $U \equiv 2\left(\frac{s}{p}\right) \bmod 3$.

Proof: This is a simple application of Theorem 3.3: $\pi(P) = \left(\frac{s}{p}\right)P$, so $\lambda = \left(\frac{s}{p}\right) = \pm 1$, and $p \equiv 1 \bmod 3$ since $4p \equiv U^2 \bmod 3$ with $3 \nmid U$; hence $U \equiv \lambda(1 + p) \equiv 2\lambda \bmod 3$. □

5.2. Solving the equation $\Phi_3(X, j(E)) = 0$.

5.2.1. The case $\left(\frac{-D}{3}\right) \neq -1$. A solution of this equation is given by $\mathfrak{w}_3^{12}$, which lies in $\Omega_1$ with the hypothesis made on $D$.

Numerical examples. Let $H_{-15}[\mathfrak{w}_3^{12}] = X^2 + 81X + 729$, $p = 109$, $4p = 14^2 + 15 \times 4^2$, $v_3 = 3$, $x_3 = 104$, $E : Y^2 = X^3 + 94X + 99$; $U = \pm 14$. Since $\lambda \equiv 1 \bmod 3$, we conclude that $U = 14$ and $E$ has $109 + 1 - 14$ points.

Take $D = 20$ and $p = 349$. We find $(U, V) = (\pm 26, \pm 6)$. We compute:

$$H_{-20}[\mathfrak{w}_3^{12}] = X^2 + (70 - 22\sqrt{-20})X - 239 - 154\sqrt{-20}.$$

Using $\sqrt{-20} \equiv 237 \bmod p$, a root of this polynomial is $v_3 = 257$, from which $j = 224$ and $E(j) : Y^2 = X^3 + 45X + 30$. Now $\lambda = -1$, which gives us that $\#E = 349 + 1 + 26$.

5.2.2. The case $\left(\frac{-D}{3}\right) = -1$. We may solve the degree 4 equation $\Phi_3(X, j(\alpha)) = 0$ directly.

In Skolem's approach [2H], to compute the roots of a general quartic (with $a_1$ and $a_3$ not both zero)

$$P(X) = X^4 + a_1X^3 + a_2X^2 + a_3X + a_4$$

one uses the four roots $X_i$ of $P$ to define

(3) $$\begin{cases} z_1 = X_1 + X_2 - X_3 - X_4, \\ z_2 = X_1 - X_2 + X_3 - X_4, \\ z_3 = X_1 - X_2 - X_3 + X_4. \end{cases}$$

Writing $y_i = z_i^2$, the $y_i$'s are roots of

(4) $$R(y) = y^3 + b_1y^2 + b_2y + b_3$$

in which

(5) $$\begin{cases} b_1 = 8a_2 - 3a_1^2, \\ b_2 = 3a_1^4 - 16a_1^2a_2 + 16a_1a_3 + 16a_2^2 - 64a_4, \\ b_3 = -(a_1^3 - 4a_1a_2 + 8a_3)^2. \end{cases}$$

Conversely, if the $y_i$'s are the roots of $R$ and if the $z_i$'s are chosen in such a way that

$$-z_1z_2z_3 = a_1^3 - 4a_1a_2 + 8a_3,$$

then the $X_i$'s defined by (3) (together with $X_1 + X_2 + X_3 + X_4 = -a_1$) are the roots of $P$; in particular $X_1 = (z_1 + z_2 + z_3 - a_1)/4$.

In our case, $\Phi_3(X, j) = X^4 + 36X^3 + 270X^2 + (756 - j)X + 729$, and we find that

$$R(Y) = Y^3 - 1728Y^2 - 576(j(\alpha) - 1728)Y - 64(j(\alpha) - 1728)^2$$

and the compatibility relation is $z_1z_2z_3 = 8(j(\alpha) - 1728)$. Since we suppose that $3 \nmid D$, we replace $j(\alpha)$ by $\gamma_2(\alpha)^3$. In that case, the roots of $R(Y)$ are

$$4\left(\zeta_3^{2i}\gamma_2(\alpha)^2 + 12\zeta_3^i\gamma_2(\alpha) + 144\right)$$

for $i = 0, 1, 2$. Studying the roots of these numbers as class invariants could probably be done. The function

$$\sqrt{\gamma_2(\alpha)^2 + 12\gamma_2(\alpha) + 144}$$

has been introduced via a different route by Birch in [I] and the theorems proven there could be used in our context, though we refrain from doing so in this article.

Let us summarize the algorithm to find the roots of $\Phi_3(X, j(E))$ modulo $p$ when $3 \nmid D$, $3 \mid V$ (which implies $p \equiv 1 \bmod 3$):

1. compute $\gamma_2 \bmod p$;

2. compute the values $y_i = 4(\zeta_3^{2i}\gamma_2^2 + 12\zeta_3^i\gamma_2 + 144) \bmod p$ for $i = 1, 2$;

3. compute $z_i = \sqrt{y_i} \bmod p$ for $i = 1, 2$ and $z_3 = 8(\gamma_2^3 - 1728)/(z_1z_2)$, from which $X_1 = (z_1 + z_2 + z_3 - 36)/4$ is a root of $\Phi_3(X, j)$ (the other sign choices for $z_1$, $z_2$ give the other three roots).

Notice that $\zeta_3 \bmod p$ can be computed as follows (see [P] for more on this sort of ideas): since $3 \mid p - 1$, we can find $a$ such that $a^{(p-1)/3} \not\equiv 1 \bmod p$. Put $\zeta_3 = a^{(p-1)/3}$. It satisfies $\zeta_3^2 + \zeta_3 + 1 \equiv 0 \bmod p$. Therefore, finding a root costs two square roots and one modular exponentiation, once $\gamma_2$ is known.

Numerical examples. Consider $(D, p, U, V) = (40, 139, \pm 14, \pm 3)$. A root of $H_{-40}[\gamma_2](X) = X^2 - 780X + 20880$ modulo $p$ is 110. Using $\zeta_3 = 96$, we compute $v_3 = 109$ and $x_3 = 135$. Then $E : Y^2 = X^3 + 124X + 129$ has $\lambda = 1$ and $U = 14$.
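Both routes of this section (the class-invariant root of 5.2.1 and the resolvent solution of 5.2.2) end with the same sign test. The block below is an added example, not code from the paper: it implements Lemma 5.1, Proposition 5.1 and the three-step resolvent algorithm above from the formulas on the page, and reruns the three numerical examples of Sections 5.2.1 and 5.2.2. Square roots modulo $p$ are found by brute force, which is only acceptable for the toy primes used here (a real implementation would use Tonelli-Shanks); the brute-force point count is a cross-check on the result, not part of the method. Function names are ours.

```python
# Added example (not from the paper): the ell = 3 procedure of Section 5.
#   j = (v+27)(v+3)^3 / v                      (Table 1, ell = 3)
#   a4 = 3j/(1728-j), a6 = 2j/(1728-j)         (equation (2))
#   x3 = -(v+27)(v+3)/(v^2+18v-27)             (Lemma 5.1)
#   U = 2 (s/p) mod 3, s = x3^3 + a4 x3 + a6   (Proposition 5.1)
# and, for 3 !| D and 3 | V, Skolem's resolvent for Phi_3(X, j) = 0, j = gamma2^3.

def legendre(a, p):
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def sqrt_mod(a, p):
    """Some y with y^2 = a (mod p), or None. Brute force: toy primes only."""
    a %= p
    return next((y for y in range(p) if y * y % p == a), None)


def curve_from_w3(v, p):
    """(j, a4, a6) of E(j) for a root v of Phi[w_3^12](X, j) modulo p."""
    j = (v + 27) * pow(v + 3, 3, p) * pow(v, -1, p) % p
    d = pow((1728 - j) % p, -1, p)
    return j, 3 * j * d % p, 2 * j * d % p


def x3_from_w3(v, p):
    """Lemma 5.1: a rational abscissa of a 3-torsion point of E(j)."""
    return -(v + 27) * (v + 3) * pow((v * v + 18 * v - 27) % p, -1, p) % p


def f3(x, a, b, p):
    """The 3-division polynomial of Section 3.1 evaluated at x."""
    return (3 * x**4 + 6 * a * x * x + 12 * b * x - a * a) % p


def sign_of_U_ell3(p, abs_u, v):
    """4p = U^2 + D V^2 with 3 | D V, |U| and a root v of the ell = 3 modular
    equation given; returns (U, a4, a6) with the sign of U fixed."""
    _, a4, a6 = curve_from_w3(v, p)
    x3 = x3_from_w3(v, p)
    assert f3(x3, a4, a6, p) == 0                   # x3 really is a 3-torsion abscissa
    lam = legendre(x3**3 + a4 * x3 + a6, p)         # pi(P) = [lam] P, lam = +-1
    assert abs_u % 3 != 0
    u = abs_u if abs_u % 3 == 2 * lam % 3 else -abs_u   # Proposition 5.1
    return u, a4, a6


def roots_phi3_resolvent(gamma2, p):
    """Section 5.2.2: the four roots of Phi_3(X, j), j = gamma2^3, p = 1 mod 3."""
    assert p % 3 == 1
    zeta = next(z for z in (pow(a, (p - 1) // 3, p) for a in range(2, p)) if z != 1)
    j = pow(gamma2, 3, p)
    y = [4 * (pow(zeta, 2 * i, p) * gamma2 * gamma2 + 12 * pow(zeta, i, p) * gamma2 + 144) % p
         for i in (1, 2)]
    z1, z2 = sqrt_mod(y[0], p), sqrt_mod(y[1], p)
    assert z1 is not None and z2 is not None         # guaranteed by Theorem 3.2 when 3 | V
    roots = set()
    for s1 in (z1, p - z1):
        for s2 in (z2, p - z2):
            z3 = 8 * (j - 1728) * pow(s1 * s2 % p, -1, p) % p   # z1 z2 z3 = 8 (j - 1728)
            roots.add((s1 + s2 + z3 - 36) * pow(4, -1, p) % p)  # X_1 = (z1+z2+z3-a1)/4
    return sorted(roots)


def phi3(x, j, p):
    """Phi_3(X, j) = (X + 27)(X + 3)^3 - jX evaluated at x."""
    return ((x + 27) * pow(x + 3, 3, p) - j * x) % p


def count_points(p, a4, a6):
    """Brute-force #E(F_p); cross-check only, for tiny p."""
    return 1 + sum(1 + legendre(x**3 + a4 * x + a6, p) for x in range(p))
```

On the $D = 40$, $p = 139$ example the resolvent returns all four roots of $\Phi_3(X, j)$, and any of them can be fed to `sign_of_U_ell3`; the paper's $v_3 = 109$ is one of them.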

6. The case $\ell = 5$

6.1. Using $\mathfrak{w}_5$. We assume here that $\left(\frac{-D}{5}\right) \neq -1$ and $5 \mid DV^2$. In that case, we can use some power of $\mathfrak{w}_5$ as invariant to get a root $v_5$ of $\Phi_5(X, j)$, thus yielding a factor $g_5$ of $f_5$. Writing:

$$A = v_5^2 + 22v_5 + 125,\quad B = v_5^2 + 4v_5 - 1,\quad C = v_5^2 + 10v_5 + 5,$$

one has:

$$g_5^{E(j)}(X) = X^2 + 2(C/B)X + (1 - 36/A)(C/B)^2.$$

Putting $y = (B/C)X$ leads us to $(y + 1)^2 - 36/A$. At this point, since

$$j = \frac{(v_5^2 + 10v_5 + 5)^3}{v_5}$$

we also have:

$$j - 1728 = \frac{(v_5^2 + 22v_5 + 125)(v_5^2 + 4v_5 - 1)^2}{v_5}$$

or $A = v_5(j - 1728)/B^2$.

6.1.1. The case $U \equiv \pm 2 \bmod 5$. We deduce that $p \equiv 1 \bmod 5$ and $g_5^{E(j)}(X)$ has two rational roots.

Examples. Take $D = 35$ for which

$$H_{-35}[\mathfrak{w}_5^6](X) = X^2 + 50X + 125.$$

Take $(p, U, V) = (281, \pm 33, \pm 1)$. We first use $v_5 = 163$ to compute $E(j) : Y^2 = X^3 + 32X + 115$ and $g_5^{E(j)}(X) = X^2 + 245X + 198$. From this, we get $x_5 = 227$ and find that $x_5^3 + a_4(j)x_5 + a_6(j)$ is a square in $\mathbb{F}_p$, so that

Consider now $D = 91$ for which $\left(\frac{-91}{5}\right) = +1$. We find:

$$H_{-91}[\mathfrak{w}_5^6] = X^2 + (130 - 40\sqrt{-91})X - 99 - 8\sqrt{-91}.$$

Taking $(p, U, V) = (571, \pm 3, \pm 5)$, we use $\sqrt{-91} \equiv 342 \bmod p$, find $v_5 = 216$ from which $j = 533$ and $E(j) : Y^2 = X^3 + 181X + 311$. Then $g_5^{E(j)}(X) = X^2 + 213X + 412$ which has a root $x_5 = 315$. We find that $\lambda = -1$ and $U = 3$.

6.1.2. The case $U \equiv \pm 1 \bmod 5$. One has $p \equiv 4 \bmod 5$ and $g_5^{E(j)}(X)$ is irreducible; the eigenvalue is $\lambda \equiv U/2 \equiv \pm 2 \bmod 5$. We can compute it using the techniques of SEA, that is test the identity

$$(X^p, Y^p) = [\pm 2](X, Y) \bmod g_5^{E(j)}(X).$$

(Actually, checking the equality on the ordinates is enough.) Depending on the implementation, this can cost more than testing $[m]P$ on $E$.

Example. Consider $(D, p, U, V) = (35, 109, \pm 11, \pm 3)$. One computes $v_5 = 76$ and $g_5^{E(j)}(X) = X^2 + 13X + 13$. We compute

$$(X^p, Y^p) = (108X + 96,\ Y(72X + 43)) = [2](X, Y).$$

Therefore, $U = -11$.

Consider $(D, p, U, V) = (91, 569, \pm 1, \pm 5)$. We find $E(j) : Y^2 = X^3 + 558X + 372$, $g_5^{E(j)}(X) = X^2 + 100X + 201$ and

$$(X^p, Y^p) = [2](X, Y)$$

so that $U = -1$.
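The Frobenius test of 6.1.2 can be run without ever extracting a root of $g_5$, and then it also settles the split case of 6.1.1 (where it returns $\lambda = \pm 1$). The block below is an added example, not code from the paper: it builds $E(j)$ and $g_5$ from $v_5$ with the formulas of Section 6.1, represents elements of $\mathbb{F}_p[X]/(g_5)$ as pairs $u_0 + u_1X$, computes $(X^p, Y^p)$ and $[2](X, Y)$ in that ring, and reads off $U \bmod 5$ from $U \equiv \lambda + p/\lambda$ (Theorem 3.3). It reproduces the three examples of Sections 6.1.1 and 6.1.2 that give $v_5$. Function names are ours.

```python
# Added example (not from the paper): the ell = 5 Frobenius test of Section 6.1.
#   j = (v^2+10v+5)^3 / v                       (Table 1, ell = 5)
#   a4 = 3j/(1728-j), a6 = 2j/(1728-j)          (equation (2))
#   g5 = X^2 + 2(C/B)X + (1-36/A)(C/B)^2        (Section 6.1)
#   U = lambda + p/lambda mod 5                 (Theorem 3.3)
# Elements of R = F_p[X]/(g5) are pairs (u0, u1) standing for u0 + u1*X.

def curve_from_w5(v, p):
    """(j, a4, a6) of E(j) for a root v of Phi[w_5^6](X, j) modulo p."""
    c = (v * v + 10 * v + 5) % p
    j = pow(c, 3, p) * pow(v, -1, p) % p
    d = pow((1728 - j) % p, -1, p)
    return j, 3 * j * d % p, 2 * j * d % p


def factor_g5(v, p):
    """(c0, c1) with g5 = X^2 + c1 X + c0, the factor of f_5 attached to v."""
    A = (v * v + 22 * v + 125) % p
    B = (v * v + 4 * v - 1) % p
    C = (v * v + 10 * v + 5) % p
    cb = C * pow(B, -1, p) % p                        # C/B
    return (1 - 36 * pow(A, -1, p)) * cb * cb % p, 2 * cb % p


def rmul(u, v, g, p):
    """Product in R; X^2 is replaced by -c1 X - c0."""
    c0, c1 = g
    w = u[1] * v[1]
    return ((u[0] * v[0] - c0 * w) % p, (u[0] * v[1] + u[1] * v[0] - c1 * w) % p)


def radd(u, v, p):
    return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)


def rscale(k, u, p):
    return (k * u[0] % p, k * u[1] % p)


def rpow(u, e, g, p):
    r = (1, 0)
    while e:
        if e & 1:
            r = rmul(r, u, g, p)
        u = rmul(u, u, g, p)
        e >>= 1
    return r


def rinv(u, g, p):
    """Inverse in R by solving u * (v0 + v1 X) = 1; det is the norm of u."""
    c0, c1 = g
    u0, u1 = u
    det = (u0 * u0 - c1 * u0 * u1 + c0 * u1 * u1) % p
    d = pow(det, -1, p)                               # fails only for a zero divisor
    return ((u0 - c1 * u1) * d % p, -u1 * d % p)


def frobenius_eigenvalue(p, a4, a6, g):
    """lambda in {1, -1, 2, -2} with (X^p, Y^p) = [lambda](X, Y) mod g5 on
    Y^2 = X^3 + a4 X + a6, or None (Section 6.1.2)."""
    X = (0, 1)
    X2 = rmul(X, X, g, p)
    F = radd(rmul(X, X2, g, p), (a6, a4), p)         # F = X^3 + a4 X + a6 = Y^2
    xp = rpow(X, p, g, p)                            # X^p
    yp = rpow(F, (p - 1) // 2, g, p)                 # Y^p = Y * F^((p-1)/2): cofactor of Y
    # [2](X, Y) = (x2, Y * w2), from the slope (3 X^2 + a4) / (2 Y)
    num = radd(rscale(3, X2, p), (a4, 0), p)
    inv_f = rinv(F, g, p)
    x2 = radd(rscale(pow(4, -1, p), rmul(rmul(num, num, g, p), inv_f, g, p), p),
              rscale(p - 2, X, p), p)
    w2 = rmul(rmul(num, radd(X, rscale(p - 1, x2, p), p), g, p), inv_f, g, p)
    w2 = radd(rscale(pow(2, -1, p), w2, p), (p - 1, 0), p)
    for lam, x, w in ((1, X, (1, 0)), (2, x2, w2)):
        if xp == x:
            if yp == w:
                return lam
            if yp == rscale(p - 1, w, p):
                return -lam
    return None


def sign_of_U_ell5(p, abs_u, v):
    """4p = U^2 + D V^2 with 5 | D V^2, |U| and a root v of the ell = 5 modular
    equation given; returns (U, a4, a6) with the sign of U fixed."""
    _, a4, a6 = curve_from_w5(v, p)
    lam = frobenius_eigenvalue(p, a4, a6, factor_g5(v, p))
    assert lam is not None and abs_u % 5 != 0
    u_mod5 = (lam + p * pow(lam, -1, 5)) % 5         # U = lambda + p/lambda mod 5
    return (abs_u if abs_u % 5 == u_mod5 else -abs_u), a4, a6
```

For $(D, p) = (35, 109)$ the ring computation returns $X^p \equiv 108X + 96$ and the cofactor $72X + 43$ of $Y^p$, the values quoted above, hence $\lambda = 2$ and $U = -11$; in the split examples the same routine returns $\lambda = 1$ ($p = 281$) and $\lambda = -1$ ($p = 571$), matching the square tests of 6.1.1.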

6.2. A remark on the case $D = 20$. We will take a route different from that in [THj]. Write $p = a^2 + 5b^2$. Let $\varepsilon = (1 + \sqrt{5})/2$ be the fundamental unit of $\mathbb{Q}(\sqrt{5})$. We have

$$a_4 = -\frac{162375}{87362} + \frac{89505\sqrt{5}}{174724}, \qquad a_6 = -\frac{54125}{43681} + \frac{29835\sqrt{5}}{87362}$$

and $f_5^E(X)$ has the factor:

$$X^2 + \left(\frac{695}{418} - \frac{225\sqrt{5}}{418}\right)X + \frac{129925}{174724} - \frac{45369\sqrt{5}}{87362}$$

of discriminant:

$$\Delta = \frac{3^2}{11^2\cdot 19^2}\left(\frac{7 + \sqrt{5}}{2}\right)^4\left(\frac{9 + \sqrt{5}}{2}\right)^2\frac{\sqrt{5}}{\varepsilon^5}$$

which is congruent to $\varepsilon\sqrt{5}$ modulo squares. Now, by [Toj], we have

$$\left(\frac{\varepsilon\sqrt{5}}{p}\right) = \left(\frac{p}{\sqrt{5}}\right)_4.$$

When $p \equiv 1 \bmod 20$, $\Delta$ is a square modulo $p$ and there are two abscissas in $\mathbb{F}_p$. Now, $a \equiv \pm 1 \bmod 5$ and thus

$$m = p + 1 - 2a \equiv 1 + 1 \mp 2 \bmod 5.$$

We can distinguish the two cases by computing $y_5$: it is in $\mathbb{F}_p$ if and only if $m \equiv 0 \bmod 5$.



7. Numerical examples for $\ell \equiv 3 \bmod 4$

7.1. The case $\ell = 7$.

Lemma 7.1. Let $v_7$ be a root of $\Phi_7(X, j)$ and put

$$A(v_7) = v_7^4 + 14v_7^3 + 63v_7^2 + 70v_7 - 7.$$

Then

$$\mathrm{Resultant}(g_{7,\lambda}(X),\ X^3 + a_4(j)X + a_6(j)) = -3jv_7A(v_7)S(v_7)^2$$

for some rational fraction $S$ with integer coefficients.

Proof: using Maple, we compute:

$$\mathrm{Resultant}(g_{7,\lambda},\ X^3 + a_4(j)X + a_6(j)) = -2^{12}\cdot 3^9\cdot(v_7^2 + 13v_7 + 49)^3(v_7^2 + 5v_7 + 1)$$

from which the result follows. □

Take $D = 91$ for which

$$H_{-91}[\mathfrak{w}_7^4] = X^2 + 77X + 49.$$

Take $(p, U, V) = (107, \pm 8, \pm 2)$. We find $v_7 = 62$ from which $g_7^{E(j)}(X) = X^3 + 104X^2 + 44X + 73$. Using $E(j) : Y^2 = X^3 + 101X + 103$, we find $r = 13$ and $\left(\frac{r}{p}\right) = 1$ and therefore $U = 8$.

For $(D, p, U, V) = (20, 569, \pm 36, \pm 7)$, we compute:

$$H_{-20}[\mathfrak{w}_7^4](X) = X^2 + (15 - \sqrt{-20})X + 41 - 6\sqrt{-20}$$

one of whose roots modulo $p$ is $v_7 = 195$ (taking $\sqrt{-20} \equiv 320$). Then $E(j) : Y^2 = X^3 + 289X + 3$ has $g_7^{E(j)}(X) = X^3 + 111X^2 + 185X + 94$ from which $U = 36$.

7.2. The case $\ell = 11$. In that case, the modular equation is quite large. However, if we restrict to the case where $3 \nmid D$, we can use the modular equation relating $\mathfrak{w}_{11}$ and $\gamma_2$:

$$X^{12} - 1980X^9 + 880\gamma_2X^8 + 44\gamma_2^2X^7 + 980078X^6 - 871200\gamma_2X^5 + 150040\gamma_2^2X^4 + (47066580 - 7865\gamma_2^3)X^3 + (154\gamma_2^4 + 560560\gamma_2)X^2 + (1244\gamma_2^2 - \gamma_2^5)X + 121.$$

Consider $(D, p, U, V) = (88, 103, \pm 18, \pm 1)$. First, we find:

$$H_{-88}[\mathfrak{w}_{11}](X) = X^2 - 66X + 121$$

a root of which is $\mathfrak{w}_{11} = 21$. Plugging this into the modular equation, we find $\gamma_2 = 63$, from which $j = 66$ and $E(j) : Y^2 = X^3 + 73X + 83$. Using the techniques of SEA, we find that

$$g_{11} = X^5 + 81X^4 + 22X^3 + 55X^2 + 99X + 15$$

and the resultant is 98, so that $U = 18$.

Note that the techniques needed to compute $g_{11}$ are probably too heavy to make this case useful. However, we provide it as a non-trivial example.

8. The case $\ell = 2$

The points of 2-torsion cannot be used in our context, since they have ordinate 0. So we must try to use 4-torsion points instead. We suppose that $-D$ is fundamental.

8.1. Splitting $f_4^{E(j)}$. Curves having rational 2-torsion are parametrized by $X_0(2)$, or equivalently, $j(E) = (u + 16)^3/u$. Notice that:

(6) $$\gamma_3^2 = j - 1728 = \frac{(u - 8)^2(u + 64)}{u}.$$

Using algebraic manipulations (and Maple), $f_4^{E(j)}(X)$ factors as $P_2(X)P_4(X)$ where:

$$P_2(X) = X^2 + 2\frac{u + 16}{u - 8}X + \frac{(u - 80)(u + 16)^2}{(u - 8)^2(u + 64)},$$

$$P_4(X) = X^4 - 2\frac{u + 16}{u - 8}X^3 - 12\frac{(u + 16)^2}{(u + 64)(u - 8)}X^2 - 2\frac{(7u + 16)(u + 16)^3}{(u + 64)(u - 8)^3}X - \frac{(5u^2 + 640u - 256)(u + 16)^4}{(u + 64)^2(u - 8)^4}.$$

The polynomial $P_2$ has discriminant (up to the square factor 4):

$$\Delta_2(u) = \frac{12^2(u + 16)^2}{(u - 8)^2(u + 64)}.$$

The polynomial $P_4$ has the following property. If $(u + 64)/u = v^2$, then it splits as a product of two quadratic polynomials:

$$G_a(X) = X^2 + 2\frac{v^2 + 3}{v(v + 3)}X + \frac{(v^2 + 12v - 9)(v^2 + 3)^2}{(v + 3)^2(v - 3)^2v^2},$$

$$G_b(X) = X^2 + 2\frac{v^2 + 3}{v(v - 3)}X + \frac{(v^2 - 12v - 9)(v^2 + 3)^2}{(v + 3)^2(v - 3)^2v^2}.$$

Proposition 8.1. Suppose that $(D, p, V)$ satisfies one of the conditions of Proposition 4.1 and that $u$ is a square. Then $P_2$ splits modulo $p$.

Proof: Equation (6) tells us that $u(u + 64)$ is a square modulo $p$, which implies that $\Delta_2(u)$ is also a square. □

Notice that generally, at least one of the roots of $\Phi_2(X, j)$, denoted by $u$, will be the square of some Weber function, see [24].

8.2. Eigenvalues modulo $2^k$. Our idea is to use the roots of the characteristic polynomial $\chi(X) = X^2 - UX + p$ modulo powers of 2 and deduce from this the sign of $U$ when possible. This subsection is devoted to properties of these roots.

Since $p \equiv 1 \bmod 2$, $\chi(X)$ has roots modulo 2 if and only if $U \equiv 0 \bmod 2$. Modulo 4, $\chi(X)$ has roots if and only if $U \equiv p + 1 \bmod 4$, which we suppose from now on. It is not enough to look at this case, since we have $U \equiv 0 \bmod 4$ or $U \equiv 2 \bmod 4$, and in both cases we cannot deduce from this alone the sign of $U$. We will need to look at what happens modulo 8. We list below the cases where $\chi(X)$ has roots modulo 8 and then relate this with the splitting of $p$.

Lemma 8.1. The solutions of $X^2 \equiv 4 \bmod 8$ are $\pm 2$.

Lemma 8.2. Write $\varepsilon = \pm 1$. We give in the following table the roots of $\chi(X)$ modulo 8 (an empty entry means that there is no root):

    p mod 8 \ U mod 8  |  2ε             |  4           |  0
    -------------------+-----------------+--------------+-------------
            1          |  {ε, ε + 4}     |              |
            3          |                 |  {±1, ±3}    |
            5          |  {−ε, −ε + 4}   |              |
            7          |                 |              |  {±1, ±3}

Proposition 8.2. Let $4p = U^2 + DV^2$. The polynomial $\chi(X)$ has roots modulo 8 exactly in the following cases:

(i) $4 \mid D$ and $2 \mid V$;

(ii) $4 \nmid D$ and [$(4 \mid V)$ or $(2 \,\|\, V$ and $D \equiv 7 \bmod 8)$].

Proof:

(i) If $V$ is even, we deduce that $U^2 \equiv 4p \equiv 4 \bmod 8$, so that $\chi(X)$ is one of $X^2 - 2\varepsilon X + 1$ or $X^2 - 2\varepsilon X + 5$ by Lemma 8.1. The result follows from Lemma 8.2.

What can be said when $V$ is odd? When $4 \,\|\, D$, this means that $p = (U/2)^2 + (D/4)V^2$, implying that $U \equiv 0 \bmod 4$ and $p \equiv 1 \bmod 4$ (since $-D$ is fundamental, $D/4 \equiv 1 \bmod 4$), but then $U \not\equiv p + 1 \bmod 4$.

When $8 \mid D$, then $p = (U/2)^2 + (D/4)V^2$ with $U \equiv \pm 2 \bmod 8$, but $p \equiv 3 \bmod 4$ and again $U \not\equiv p + 1 \bmod 4$.

(ii) In that case, $U$ and $V$ have the same parity. If $U$ and $V$ are odd, this implies $m = p + 1 - U$ is odd, so that we do not have 2-torsion points. If $U$ and $V$ are even, so is $m$ and $p = (U/2)^2 + D(V/2)^2$.

If $V/2$ is even of the form $2V'$, then $p = (U/2)^2 + 4DV'^2$; $U/2$ must be odd and $p \equiv 1 \bmod 4$ and we conclude as in case (i).

If $V/2$ is odd, then $p = (U/2)^2 + DV'^2$ with $V'$ odd, which implies $U/2$ even, that is $U \equiv 0 \bmod 8$ or $U \equiv 4 \bmod 8$. One has $p \equiv (U/2)^2 + D \bmod 8$. If $D \equiv 7 \bmod 8$, then $(U, p) \equiv (0, 7) \bmod 8$ or $(4, 3) \bmod 8$ and the two characteristic polynomials have four roots modulo 8. If $D \equiv 3 \bmod 8$, then $(U, p) \equiv (0, 3)$ or $(4, 7)$ modulo 8 and $\chi(X)$ has no roots. □
8.3. Computing the cardinality of CM-curves. This section makes use of the theory of isogeny cycles described in [Tj], [E].

With the notations of the preceding section, we suppose we are in the case where $U \equiv 2\varepsilon \bmod 8$, or equivalently $4 \mid D$ and $2 \mid V$, or $4 \nmid D$ and $4 \mid V$.

From Proposition 8.1 we know that the factor $P_2(X)$ of $f_4$ has at least two roots modulo $p$. If $x_4$ is one of these and $s = x_4^3 + ax_4 + b$, we let $y_4 = \sqrt{s}$ (a priori in $\mathbb{F}_{p^2}$) and $P = (x_4, y_4)$. Now $\pi(P) = \pm P$ according to the fact that $s$ is a square or not. We have our eigenvalue $\lambda_4 = \pm 1 \bmod 4$. By the theory of isogeny cycles, the eigenspace $C_4$ generated by $P$ can be lifted to an eigenspace $C_8$ of $E[8]$ associated to the eigenvalue $\lambda_8$ which is congruent to $\lambda_4$ modulo 4. Since $U \equiv 2\varepsilon \bmod 8$, we know from Lemma 8.2 that the possible values of $\lambda_8$ for $\varepsilon = 1$ and those for $\varepsilon = -1$ reduce to different values of $\lambda_4$ modulo 4 ($\lambda_4 \equiv \varepsilon$ if $p \equiv 1 \bmod 8$, $\lambda_4 \equiv -\varepsilon$ if $p \equiv 5 \bmod 8$), which gives us $\varepsilon$.

In practice, this is relatively inexpensive to use when $u$ is the square of a Weber function, which happens in the case $4 \mid D$ or $D \equiv 7 \bmod 8$ (for this, one uses an invariant for $-4D$ instead of $-D$, and both class groups have the same class number, see [jH]). When $D \equiv 3 \bmod 4$, $h_2 = 3h_1$, which is not as convenient; still, a root of $\Phi_2(X, j)$ exists, since it is in $\Omega_2$ and $p$ splits in it.

Examples. First take $(D, p, U, V) = (20, 29, \pm 6, \pm 2)$. We find $u = 7$, $j = 23$ and $E(j) : Y^2 = X^3 + 3X + 2$. From this, $P_2$ has a root $x_4 = 7$ and $\lambda_8 = -1$, so that $U = -6$.

Now take $(D, p, U, V) = (40, 41, \pm 2, \pm 2)$. We compute $u = 16$, $j = 39$, $E(j) : Y^2 = X^3 + 30X + 20$, $x_4 = 19$ and $\lambda_8 = -1$ implying $U = -2$.

Let us turn to odd $D$'s. Take $(D, p, U, V) = (15, 409, \pm 26, \pm 8)$. Then $u = 102$, $j = 93$, $E : Y^2 = X^3 + 130X + 223$, $x_4 = 159$ yielding $\lambda_8 = -1$ and $U = -26$.
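The three examples above follow one mechanical path: build $E(j)$ and $P_2$ from $u$, take a root $x_4$, test whether $x_4^3 + ax_4 + b$ is a square to get $\lambda_4$, and convert $\lambda_4$ into $\varepsilon$ with Lemma 8.2. The block below is an added example, not code from the paper, that does exactly this with the formulas of Sections 8.1 and 8.2 (including the check that $x_4$ is a root of the $f_4$ of Section 3.1), under the hypothesis of this section ($U \equiv 2\varepsilon \bmod 8$, so $p \equiv 1$ or $5 \bmod 8$). Square roots modulo $p$ are brute-forced, which is fine only for these toy primes; function names are ours.

```python
# Added example (not from the paper): the ell = 2 procedure of Section 8.3.
#   j = (u+16)^3/u                                                 (Section 8.1)
#   P_2 = X^2 + 2(u+16)/(u-8) X + (u-80)(u+16)^2/((u-8)^2 (u+64))    (Section 8.1)
#   lambda_4 = +1 if s = x4^3 + a4 x4 + a6 is a square mod p, else -1
#   Lemma 8.2: roots of chi mod 8 are {eps, eps+4} if p = 1 mod 8 and
#   {-eps, -eps+4} if p = 5 mod 8, so lambda_4 mod 4 fixes eps, and U = 2 eps mod 8.

def legendre(a, p):
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def sqrt_mod(a, p):
    """Some y with y^2 = a (mod p), or None. Brute force: toy primes only."""
    a %= p
    return next((y for y in range(p) if y * y % p == a), None)


def curve_from_u(u, p):
    """(j, a4, a6) of E(j) for a root u of Phi[w_2^24](X, j): j = (u+16)^3/u."""
    j = pow(u + 16, 3, p) * pow(u, -1, p) % p
    d = pow((1728 - j) % p, -1, p)
    return j, 3 * j * d % p, 2 * j * d % p


def p2_factor(u, p):
    """(c0, c1) with P_2 = X^2 + c1 X + c0."""
    e = (u + 16) * pow((u - 8) % p, -1, p) % p        # (u+16)/(u-8)
    c0 = (u - 80) * e * e * pow((u + 64) % p, -1, p) % p
    return c0, 2 * e % p


def f4(x, a, b, p):
    """The 4-division polynomial of Section 3.1 evaluated at x."""
    return (2 * x**6 + 10 * a * x**4 + 40 * b * x**3 - 10 * a * a * x * x
            - 8 * a * b * x - 2 * a**3 - 16 * b * b) % p


def sign_of_U_ell2(p, abs_u, u):
    """4p = U^2 + D V^2 in the situation of Section 8.3 (U = 2 eps mod 8), |U|
    and a root u of Phi_2(X, j) given; returns (U, a4, a6) with the sign fixed."""
    assert p % 8 in (1, 5) and abs_u % 4 == 2
    _, a4, a6 = curve_from_u(u, p)
    c0, c1 = p2_factor(u, p)
    r = sqrt_mod(c1 * c1 - 4 * c0, p)                 # Proposition 8.1: P_2 splits
    assert r is not None
    x4 = (r - c1) * pow(2, -1, p) % p
    assert f4(x4, a4, a6, p) == 0                     # x4 is a 4-torsion abscissa
    lam4 = legendre(x4**3 + a4 * x4 + a6, p)          # pi(P) = [lam4] P, lam4 = +-1
    eps = lam4 if p % 8 == 1 else -lam4               # Lemma 8.2
    return (abs_u if abs_u % 8 == 2 * eps % 8 else -abs_u), a4, a6
```

Either root of $P_2$ may be used: under the hypothesis of this section the whole 2-torsion is rational, so both roots lie in the same $\lambda_4$-eigenspace and give the same $\varepsilon$ (the $p = 29$ example returns $x_4 = 10$ rather than the paper's 7, with the same conclusion $U = -6$).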

8.4. The case $D$ odd. In that case, $\Phi_2(X, j)$ will have three roots in $\mathbb{F}_p$ or $\mathbb{F}_{p^2}$, that we can compute directly. This could be useful for the cases not treated by the preceding section. Let us try to solve the equation

$$\Phi_2(X, J) = X^3 + 48X^2 + 768X - JX + 4096 = 0$$

directly. As in [3] (already used in [JH]) we first complete the cube letting $Y = X + 16$ to get:

(7) $$Y^3 - JY + 16J = 0.$$

We look for $\alpha$ and $\beta$ such that this equation can be rewritten:

$$Y^3 - 3\alpha\beta Y + \alpha\beta(\alpha + \beta) = 0.$$

The coefficients $\alpha$ and $\beta$ are solutions of

$$W^2 - 48W + J/3 = 0$$

whose discriminant is $\Delta = (-4/3)(J - 1728)$. Having $\alpha$ and $\beta$ (in $\mathbb{F}_p$ or $\mathbb{F}_{p^2}$), we solve

$$z^3 = \frac{\alpha}{\beta}$$

and we get a root

$$Y = \frac{\beta z - \alpha}{z - 1}$$

of (7).

Since $D$ is odd, $\sqrt{-D}\,\gamma_3$ is an invariant, so that we can write:

$$\gamma_3 = \frac{\sqrt{-D}\,\gamma_3}{\sqrt{-D}}.$$

The computation of the roots then depends on $\left(\frac{-3}{p}\right) = 1$. It is not clear that the above mentioned approach is really faster than the naive one.

9. Applications to ECPP and conclusion

In ECPP, the situation is as follows. We are given $j$ and $m = p + 1 - U$ for some known $U$. We have to build an elliptic curve $E$ having invariant $j$ and cardinality $m$. We use the results of the preceding sections in the following way. We build a candidate $E$ and compute its cardinality $m'$. If $m' = m$, then $E$ is the correct answer, otherwise, we have to twist it.

In [?] a comparison of all possible class invariants for a given $D$ was made using the height of their minimal polynomial. Though it is clear that it is easier to use invariants of small height, the results of the present article show that we might as well favor those invariants that give us a fast way of computing the right equation instead.

For instance, if $(D, 6) = 1$, using Stark's ideas whenever possible is a good thing. When $3 \mid D$ or $7 \mid D$, $\mathfrak{w}_3$ or $\mathfrak{w}_7$ should be preferred since we have a fast answer. Note now a new phenomenon. If we are interested in a prescribed $p$, we should use an invariant which depends on $D$, but also on $p$, or more precisely on the small factors of $V$. For instance, if $3 \mid V$, we can use the direct solution of $\Phi_3(X, J)$. If not, we may use some case where $\left(\frac{-D}{\ell}\right) = +1$, and $\ell \mid V$.

The present work has enlarged the set of $D$'s for which the corresponding $E$'s are easy to find. Nevertheless, there are cases which are badly covered (for instance odd primes $D$ such that $-D$ is a non-residue modulo 8, 3, 5 and 7, such as $D = 163$) and that will require new ideas to be treated.

Acknowledgments. The author wants to thank A. Enge for his careful 